I don't seem to be able to find a direct answer anywhere in the documentation -- what is the difference between Tectia Client and Tectia ConnectSecure? Is the latter basically the former with additional capabilities, and if so, what can you do in ConnectSecure that you can't do in Client?

(Or point me to the documentation -- I did try to find the answer there first.)

What are the differences between Tectia Client and Tectia ConnectSecure (besides both being client components)?

Tectia Client includes the following components and features:

Standard terminal and file transfer tools (CLI/GUI versions)

MVS dataset listing capability

Client daemon for automated operations

Mainframe-friendly file transfer commands (sput/sget, SITE commands)

Support for X.509v3 certificates in user/server authentication

SCEP support

CMP support

CRL support

FIPS-certified cryptographic library

Compliance with the IETF Secure Shell standards

Automatic SSH tunnels (the client daemon automatically creates a localhost listener and also automatically opens the SSH tunnel when an application connects to that localhost SSH listener)

Support for strong two-factor authentication (smartcards and PKI tokens via MSCAPI/PKCS#11 and direct support for Entrust)

Native support for RSA SecurID

Native support for GSSAPI authentication (Kerberos)

Custom translation table support (byte-to-byte conversion)

Dynamic buffers for more high-speed data transfers

Pre-compiled and QA tested packages for Windows/Linux/Unix

Support for IETF RFC 4716 format keys and OpenSSH format keys

Support for modern SCP implementation (SCP using SFTP for better control)

Public key setup wizard (GUI/CLI)

Tectia ConnectSecure includes all the components and features that the standard Tectia Client already has, plus ConnectSecure also provides the following extra features on top of the standard client functionality:

All Tectia Client features

Extended MVS streaming

File prefixing

Checkpoint/restart mechanism

CryptiCore® encryption and authentication

SFTP APIs (Java and C)

Transparent FTP Tunneling

Transparent FTP-SFTP conversion

Transparent TCP tunneling for Windows/Linux/Unix (encrypt application traffic without modifying the applications themselves): Our SSH tunneling is a bit more advanced than normal SSH port forwarding, as we can capture the application traffic on the fly, so there's no need to modify applications to connect to a localhost address/port(!). You really need to try our SSH tunneling to see the difference.

That transparent TCP tunneling in our Tectia ConnectSecure product is unique to Tectia, and it allows you to tunnel random TCP-based applications in a more flexible manner than what you can do with the old SSH port forwarding thing.

For instance, on Linux/Unix operating systems the advanced TCP tunneling works as follows:

ssh-capture YourApplicationBinaryName

After you have executed the previous command, the TCP/IP traffic from your application is monitored by ConnectSecure.

In the ssh-broker-config.xml file you can then define filter rules that instruct Tectia ConnectSecure when to tunnel that application traffic and when not to.

In ssh-broker-config.xml, you can define which side (client/server) will resolve FQDNs to IP addresses. This is usually needed when you connect to a private network (when the client cannot resolve DNS names).

In that ssh-broker-config.xml file you can also define SSH GW server settings, or you can let ConnectSecure find out the destination (the destination is taken from the application; ConnectSecure will use the same IP/FQDN as the tunneled application for the SSH server's address).

For instance, you can force an application to be tunneled only when the application tries to connect to a specific IP address/FQDN (or port) and still leave connections to other destinations to go without tunneling.

ConnectSecure can also tunnel applications which are using dynamic ports or multiple ports (!!!)

By using dynamic tunneling and blocking direct plain-text application connections to the application servers, you can easily enable strong two-factor authentication for your applications. In other words, all application connections would need to be tunneled and authenticated via SSH before someone could use the application. You can use this kind of method if your application doesn't support strong two-factor authentication by default, or without costly customization.

On Windows, dynamic/transparent TCP tunneling is configurable via the GUI, and that is all that you need to do to tunnel your application traffic.